  1. #1
    Power Member
    Join Date
    Nov 2012
    Posts
    182

    SSL considerations - self-signed certificate

    With normal SSL transactions over HTTP it is possible for the user to add exceptions for incorrectly signed certificates to bypass SSL warnings during testing. This is very useful when the domain being used is not mentioned in the certificate (a fairly common issue when developing and testing).

    I would like to know if it is possible to do the same sort of thing with WSS and Lightstreamer?

    I would like to test my client/server combination in SSL mode, but the certificate will not necessarily be correctly signed. I don't care about that, I just care about encryption.

    Is this possible?

  2. #2
    Member
    Join Date
    Jul 2010
    Location
    Herzelia
    Posts
    4

    the ls internal web server

    Quote: Originally posted by kpturner
    With normal SSL transactions over HTTP it is possible for the user to add exceptions for incorrectly signed certificates to bypass SSL warnings during testing. This is very useful when the domain being used is not mentioned in the certificate (a fairly common issue when developing and testing).

    I would like to know if it is possible to do the same sort of thing with WSS and Lightstreamer?

    I would like to test my client/server combination in SSL mode, but the certificate will not necessarily be correctly signed. I don't care about that, I just care about encryption.

    Is this possible?

    Did not get a chance to check that, but I am pretty sure you can browse with https to the LS internal web server (https://your.push.dns.com) and accept the invalid cert warning.
    Your browser should support the fake cert now when an LS connection is initiated.

    A more complicated solution is to add the fake CA to your local trusted CAs, but if that doesn't ring a bell I guess it's not for you.

    Hope that helps.

  3. #3
    Power Member
    Join Date
    Nov 2012
    Posts
    182
    Actually yes that is a very good point - however it seemed to connect without any warning at all even though I know the certificate is incorrectly signed for the domain.

  4. #4
    Power Member
    Join Date
    Nov 2012
    Posts
    182
    What I have found is that if the certificate is correctly signed it connects instantly. If not, it connects eventually (sometimes takes 30 seconds or more). Is this correct?

  5. #5
    Administrator
    Join Date
    Feb 2012
    Location
    Milano
    Posts
    716
    Hi Kevin,

    I confirm that if you accept the invalid cert warning once for the Lightstreamer push URL (adding an exception rule in the browser) then WSS or HTTPS connections succeed without any additional warnings.

  6. #6
    Administrator
    Join Date
    Feb 2012
    Location
    Milano
    Posts
    716
    I am not sure of the possible reasons for the delay; the connection should be instantaneous even with certificates that are not signed but for which the browser has an exception rule.
    Might it be that a particular setting of the browser makes additional checks against an invalid certificate?
    What browser are you using for this test?

  7. #7
    Power Member
    Join Date
    Nov 2012
    Posts
    182
    In this test case I am using Chrome, and I don't ever remember creating an exception for the domain that I am connecting to... and it is a new PC. I will try to verify that - my memory is not what it used to be.

  8. #8
    Power Member
    Join Date
    Nov 2012
    Posts
    182
    I can confirm that I have not added an exception or manually added the CA to my trust store. The connection still works, but it takes much longer to establish the connection. It even resorts to HTTP streaming by the looks of it. Other times it connects with web-socket streaming.

  9. #9
    Administrator
    Join Date
    Feb 2012
    Location
    Milano
    Posts
    716
    I am slightly puzzled by this scenario. It seems that your Chrome does not care about the invalid certificate and still allows the connection to start.
    I confirm that the SSL certificate stuff is handled by the browser, outside the Lightstreamer client library.

    Have you the opportunity to raise to DEBUG level the logger



    in this way we can investigate the dynamics of the SSL handshake and maybe figure out where all that time is lost.
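
The thread turns on a certificate that does not mention the domain in use. As an added example (not part of the original thread and not Lightstreamer or browser code), this simplified check shows which push URLs a test certificate's subject alternative names cover; the host names, port and SAN list are constructed, and only IPv4 literals are handled.

```javascript
// Added example: simplified host-name check, not the browser's real code.
// Constructed sample SAN list for a test certificate (all names are made up).
const SAMPLE_SANS = ['DNS:push.example.test', 'DNS:*.dev.example.test', 'IP:127.0.0.1'];

// Split "TYPE:value" entries into DNS names and IP addresses.
function parseSans(entries) {
  const out = { dns: [], ip: [] };
  for (const entry of entries) {
    const i = entry.indexOf(':');
    if (i < 0) continue;
    const type = entry.slice(0, i).trim().toUpperCase();
    const value = entry.slice(i + 1).trim().toLowerCase();
    if (type === 'DNS') out.dns.push(value);
    else if (type === 'IP') out.ip.push(value);
  }
  return out;
}

// A wildcard is honoured only as the whole left-most label and covers
// exactly one label, so *.dev.example.test does not match a.b.dev.example.test.
function dnsNameMatches(pattern, host) {
  const p = pattern.split('.');
  const h = host.split('.');
  if (p.length !== h.length) return false;
  return p.every((label, i) => {
    if (label === '*') return i === 0 && p.length > 2 && h[0].length > 0;
    return label === h[i];
  });
}

// Decide whether the host in a push URL is covered by the certificate's SANs.
function checkPushUrl(url, sanEntries) {
  const host = new URL(url).hostname.toLowerCase().replace(/\.$/, '');
  const sans = parseSans(sanEntries);
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) { // IPv4 literal: only IP SANs count
    const ok = sans.ip.includes(host);
    return { host, ok, reason: ok ? 'IP SAN match' : 'IP not listed in certificate' };
  }
  const hit = sans.dns.find((name) => dnsNameMatches(name, host));
  return hit
    ? { host, ok: true, reason: `matches DNS:${hit}` }
    : { host, ok: false, reason: 'host name not listed in certificate' };
}

for (const url of ['wss://push.example.test:8443/', 'wss://localhost:8443/']) {
  console.log(url, checkPushUrl(url, SAMPLE_SANS));
}
```

Issuing the test certificate with a SAN for the host name actually used removes the mismatch; whether the issuer is trusted is a separate check that this example does not cover.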

 

 
